Brute-force attacks like these get the most attention, but there are much easier ways for an attacker to get your password.

You can be fooled or coerced into giving up your password (see, for example, http://xkcd.com/538/). Fooling people into giving up their passwords (“Your account will be suspended unless you reregister with our service”) is a form of social engineering.

Someone who knows you can use what they know about you (your birthday, your pet’s name, where you went to school) to answer account-recovery questions and get your password reset.

Somebody could find where you wrote down your passwords.

Somebody (maybe a virus) could install a keylogger on your computer that records your keystrokes and sends them to another location. Once a keylogger is on your system you are in trouble: no password, however long or complicated, is safe from it.

In general, password length matters more than complexity, but both are helpful:

A 6-character password made of random numbers, letters, and symbols has (26 + 26 + 10 + 32)^6 = 94^6 possibilities, which is about 690 billion. A 25-character password made of characters drawn at random from an alphabet of only 3 letters has 3^25 possibilities, which is about 847 billion, slightly more. The long password from a tiny alphabet matches the short one from the whole keyboard, and every extra character multiplies the count again.
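The arithmetic above, as an added worked example (this is not code from the original notes): a small Python script that computes the search space and its size in bits for any alphabet size and length, how long an attacker would need to try every possibility at an assumed guess rate, and the length needed from a given alphabet to reach a target size. The guess rate of one billion per second and the 80-bit target are assumptions chosen for illustration, not figures from the page.

```python
import math

# Character-class sizes used in the arithmetic above.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
FULL_KEYBOARD = LOWER + UPPER + DIGITS + SYMBOLS  # 94


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters, each drawn
    uniformly at random from an alphabet of `alphabet_size` characters."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 and a length of at least 1")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space. Each character contributes log2(alphabet)
    bits, so doubling the length doubles the bits, while doubling the
    alphabet adds only one bit per character. This is why length wins."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every password at the given
    rate (on average the password is found in half that time)."""
    return search_space(alphabet_size, length) / guesses_per_second


def length_needed(alphabet_size: int, target_bits: float) -> int:
    """Shortest length, from this alphabet, whose search space reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # Assumed guess rate for illustration only; real rates depend on how the
    # site stores the password and on the attacker's hardware.
    RATE = 1e9  # one billion guesses per second (assumption)
    for label, alphabet, length in [
        ("6 chars, full keyboard (94)", FULL_KEYBOARD, 6),
        ("25 chars, 3-letter alphabet", 3, 25),
        ("12 chars, lowercase only", LOWER, 12),
    ]:
        space = search_space(alphabet, length)
        days = seconds_to_exhaust(alphabet, length, RATE) / 86400
        print(f"{label:30s} {space:>22,d}  {entropy_bits(alphabet, length):5.1f} bits"
              f"  {days:12.1f} days at {RATE:.0e} guesses/s")
    # Length needed from each alphabet to reach an assumed 80-bit target.
    for alphabet, name in [(LOWER, "lowercase only"), (FULL_KEYBOARD, "full keyboard")]:
        print(f"{name}: {length_needed(alphabet, 80)} characters for 80 bits")
```

The table it prints makes the page’s point visible: the two passwords from the text land within a fraction of a bit of each other, and a lowercase-only password only needs a handful of extra characters to overtake a shorter one drawn from the whole keyboard.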

Generating and Managing Passwords

One problem with passwords is that there are too many of them!

If you keep the number of passwords small by reusing them, then one leaked password can jeopardize other things you care about: an attacker who gets your password from one site will try it everywhere else. For example, here is a comic that shows one possible danger: http://xkcd.com/792

If you keep the number of passwords large you need to remember or manage them somehow.

Different passwords have different importance, and are used in different ways:

Some passwords are critical, and if you lose them then there are important consequences.

Passwords that you use every day are better candidates for memorization than passwords you use infrequently.

Some passwords need to be typed in manually. Others can be copy-and-pasted from a file.

Some passwords must be typed in manually, and are used on devices where you might not have access to electronic files. These passwords can be memorized or written down.

Infrequently-entered passwords (e.g. wifi passwords) can be more complicated than those you need to enter in often.

In general, you want the strongest passwords that are manageable for you:

The most important passwords you use should all be different from each other.

Whenever possible, passwords should be both long and complicated. If there is a conflict, long matters more than complicated.

Choosing two unrelated phrases and splicing them together (dropping a few words where they join), perhaps with numbers and symbols inserted between words: “Mary had a little lamb” + “A stitch in time saves nine” –> “Mary had a little stitch in time saves nine” –> “Mary had 729 a little stitch in ^^ time saves nine”

Taking the first letters of the words of a phrase or song lyric (but check that the result is not too short: you get one character per word, so a 15-word phrase gives only 15 characters): “We hung around every single moment, because that’s what we thought married people do” –> “We hung around every single moment ,because that’s what we thought married people do” (the comma is moved to the front of “because” so that it survives as a character) –> “Whaesm,btwwtmpd”

Don’t forget that you can combine these techniques or use others. Whatever you choose, avoid using a famous quote or lyric on its own: lists of well-known phrases are among the first things password-guessing tools try.

If you will have to use passwords on a variety of computers where you cannot run your own software, then memorizing passwords might be necessary. You can also write down passwords in a secure location that you are unlikely to lose (e.g. your wallet, your day planner).

If you are writing passwords down it is best NOT to write down the usernames and purposes of the passwords in the same place.

Thinking About Security

Protecting Resources

Thinking about security starts with thinking about your computing resources, and what you want to protect.

Your online identity or reputation

Computing power

Assets like your bank account or World of Warcraft character

Access to your social networks

Your personal data

Bandwidth on your Internet connection

Once you know what resources are involved, you can think about how to protect those resources:

Who has access to the resources? You? Family members? Friends? Your workplace? The entire internet?

Who do you trust? Who is trustworthy?

How much time and effort are you willing to put into protecting these resources? (Don’t underestimate how much you want to protect your data.)

Rules of Thumb

Here are a few common principles you might encounter:

The Principle of Least Privilege states that you should carry out tasks with the fewest privileges the task needs, so that a mistake or a compromised program can do less damage.

Reducing the Attack Surface of an application/service means reducing the number of ways that service can be reached or given input (open ports, interfaces, features), and thus the number of ways that people could break into it.

Defence in Depth states that it is better to have several independent types of protection for a resource than to depend on only one form of protection, so that a single failure does not expose the resource.

Security Traps

Thinking about security quickly gets overwhelming. It is easy to throw your hands up in despair. How can you avoid this?

Avoid black and white thinking. Security experts spend a lot of time thinking about worst-case scenarios and can be dismissive of half-measures, but security is always a tradeoff.

Learn enough about technology to understand the threats and risks involved.

Evaluate your use of technology. Avoiding technology entirely is difficult and ill-advised, but you can resist the pressure to follow every technological trend.

Figure out the resources that are most important to you, and focus your attention on improving those areas.

Figure out the more common security compromises, and focus on those. For example, fake antivirus programs and e-mail hacking are popular these days, but people breaking into your house and taking your computer is less popular (hopefully).

Don’t fall into the trap of thinking that your data is not important enough to steal. Often attackers are looking for easy targets, not particular people.

Make sure you have the easy stuff covered. Is your software legal? Is it up to date? Are your most important passwords long and strong?

Turn to friends and other “computer people” to help you evaluate security threats (but beware bad advice — there is a lot out there).

Don’t forget that you need to be able to access the resources you care about! You can make security so cumbersome that actually using the resources is difficult.

Homework

Audit your password practices according to the questions in the first section of the “Passwords” section. What improvements do you need to make?

What resources related to computers do you value? What would happen if you were to lose access to these resources? How are you currently protecting these resources?

3 responses

Commercial password crackers are far behind ighashgpu and hashcat. When it comes to “can guess passwords more effectively” there is nothing that can compete with hashcat – which is the reason why they won the Defcon twice.